Performance problem when Apply Changes with Large FW Ruleset

Hi,

We are currently running pfSense 2.4.2-RELEASE-p1 and have a very large firewall ruleset (currently 7,391 rules in pfctl), which we recently reduced down from ~10,000.

After hitting "Apply Changes" on the firewall rules we start seeing 1-10% packet loss to the gateway. The duration and severity of the packet loss seem to correlate with the number of rules.

We have added more resources to the VM; the CPU does not exceed ~50% and RAM usage is only ~10%.

Has anyone else run into this problem? At the moment we are mitigating by performing changes at night, and we are spinning up additional pfSense instances to move services onto.

Thanks.